articles

How hackers profit from data breaches

It’s a truth about those of us who cover the endless stream of data breaches that the reporting largely tends to skew to one side. Namely, with a focus on the effect on the breached organization: how many records were accessed, what types of data, how much in damages the incident will cost the company, financially and in reputation, etc. Gunter Ollmann over at TechCrunch takes a look at the other side in a new piece, examining the perspective of the customers who become data breach victims. “[F]rom a victim’s perspective, does it make a difference if your information was included in a breach alongside 10,000 or 50,000,000 others?” he asks.

The answer is, not particularly. Quantity isn’t what makes the biggest splash in the cyber criminal ecosystem of data trading sites and dark web portals. What matters more, in the face of the rapidly depreciating value of stolen information after the breach has been publicized, is just how thorough the data dumps are. The more information retrieved, the higher price they fetch. Usernames and passwords alone aren’t easy to sell in bulk for much profit. Even stolen credit cards aren’t always the greatest cash cow of the bunch (and with the new chip technology increasing the efficiency of fraud detection/prevention, their value will go further down). Now, if the record up for sale contains a name, address, date of birth, social security number, driver’s license number, photo ID and bank account number, a hacker can get around $100 for that.

Quality, not quantity, wins out here.

Not so on the other side of the issue, for the breached organizations themselves, where the more records stolen, the worse the damage. Looking to pose an even larger threat in this regard, meanwhile, is the Internet of Things. Currently, about 10 billion smart devices worldwide constitute the IoT today, from smart phones to thermostats. As has often been reported, however, estimates see that number ballooning to 50 billion by 2020, likely including traffic lights and nuclear plants. Senior information officers from Symantec, Cisco, RSA Security and others have thus cautioned that the IoT, not state-sponsored hackers, represents the most critical danger to the tech industry and its ability to protect people’s sensitive information.

What do you think is the biggest threat: hackers, or IoT vulnerability?